nginx/Dockerfile

291 lines
11 KiB
Docker
Raw Permalink Normal View History

2024-03-17 00:30:57 +09:00
# syntax=docker/dockerfile:1
##
## Build
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS build
WORKDIR /usr/local/src
ARG VERSION="1.25.4"
2024-03-20 09:30:14 +09:00
ARG MODSEC_VER=3.0.12
ARG MODSEC_NGX_VER=1.0.3
ARG OWASP_CRS_VER=4.0.0
2024-03-17 00:30:57 +09:00
### Fetch Build Dependencies
COPY patch /usr/local/src/patch
RUN set -xeu && \
apk --no-cache add \
autoconf \
automake \
build-base \
libtool \
musl-utils \
util-linux \
util-linux-dev \
tar \
openssl-dev \
pcre2-dev \
linux-headers \
libatomic_ops-dev \
zlib-dev \
libaio-dev \
bash \
alpine-sdk \
cmake \
git \
2024-03-20 09:30:14 +09:00
findutils \
pkgconf \
#mod security
byacc \
flex \
libxml2-dev \
lmdb-dev \
yajl-dev \
zlib-dev \
libfuzzy2-dev
RUN set -xeu && \
mkdir -p /usr/local/src/modsecurity && \
wget -qO - "https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${MODSEC_VER}/modsecurity-v${MODSEC_VER}.tar.gz" | tar -zxf - --strip-components=1 -C /usr/local/src/modsecurity && \
cd /usr/local/src/modsecurity && \
./build.sh && \
./configure \
--prefix=/opt/modsecurity \
# --disable-debug-logs \
--with-pcre2=yes \
--with-libxml=yes \
--with-curl=no \
--with-ssdeep=yes \
--with-lmdb=yes \
--with-yajl=yes \
--with-lua=no \
--with-geoip=no \
--with-maxmind=no \
--disable-examples \
--disable-doxygen-doc \
&& \
CFLAGS="-Wno-error -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
CPPFLAGS="-Wno-error -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
LDLAGS='-Wl,-Bsymbolic-functions -flto=auto -Wl,--as-needed -pie -Wl,-z,relro -Wl,-z,now -Wl,-Bsymbolic -Wl,--gc-sections -fPIC -flto=auto -ffat-lto-objects' \
make -j `nproc` && \
make install && \
find /opt/modsecurity && \
ldd /opt/modsecurity/lib/libmodsecurity.so && \
rm -fr \
/opt/modsecurity/lib/libmodsecurity.a && \
/opt/modsecurity/lib/libmodsecurity.la
RUN set -xeu && \
mkdir -p /usr/local/src/modsecurity-nginx && \
wget -qO - "https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${MODSEC_NGX_VER}/modsecurity-nginx-v${MODSEC_NGX_VER}.tar.gz" | tar -zxf - --strip-components=1 -C /usr/local/src/modsecurity-nginx
RUN set -xeu && \
mkdir -p /opt/owasp-crs && \
wget -qO - "https://github.com/coreruleset/coreruleset/archive/refs/tags/v${OWASP_CRS_VER}.tar.gz" | tar -zxf - --strip-components=1 -C /opt/owasp-crs && \
mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
2024-03-17 00:30:57 +09:00
RUN set -xeu && \
git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli && \
cd ngx_brotli/deps/brotli && \
mkdir out && \
cd out && \
# -DCMAKE_CXX_FLAGS="-O3 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
cmake \
-DCMAKE_BUILD_TYPE=Release \
-DBUILD_SHARED_LIBS=OFF \
-DCMAKE_C_FLAGS="-O3 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
-DCMAKE_INSTALL_PREFIX=./installed .. \
&& \
cmake --build . --config Release --target brotlienc
# git clone https://github.com/yaoweibin/nginx_upstream_check_module && \
RUN set -xeu && \
git clone https://github.com/openresty/headers-more-nginx-module
RUN set -xeu && \
mkdir -p /usr/local/src/nginx && \
2024-03-20 09:30:14 +09:00
wget -qO - "https://nginx.org/download/nginx-${VERSION}.tar.gz" | tar -zxf - --strip-components=1 -C /usr/local/src/nginx && \
2024-03-17 00:30:57 +09:00
cd /usr/local/src/nginx && \
for i in /usr/local/src/patch/*.patch; do \
echo "Applying ${i}..." && \
patch -Np1 -i "$i"; \
done && \
2024-03-20 09:30:14 +09:00
MODSECURITY_LIB="/opt/modsecurity/lib" \
MODSECURITY_INC="/opt/modsecurity/include" \
2024-03-17 00:30:57 +09:00
./configure \
--build="amazing from here" \
--with-cc-opt="-Wno-error -DTCP_FASTOPEN=23 -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" \
--with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -Wl,--as-needed -pie -Wl,-z,relro -Wl,-z,now -Wl,-Bsymbolic -Wl,--gc-sections -fPIC -flto=auto -ffat-lto-objects' \
--prefix=/opt/nginx \
--add-module=/usr/local/src/headers-more-nginx-module \
--add-module=/usr/local/src/ngx_brotli \
2024-03-20 09:30:14 +09:00
--add-dynamic-module=/usr/local/src/modsecurity-nginx \
--modules-path=modules \
2024-03-17 00:30:57 +09:00
--conf-path=etc/nginx.conf \
--pid-path=tmp/nginx.pid \
--lock-path=tmp/nginx.lock \
--without-select_module \
--without-poll_module \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
2024-03-20 09:30:14 +09:00
--with-http_gunzip_module \
2024-03-17 00:30:57 +09:00
--with-http_gzip_static_module \
--without-http_ssi_module \
--without-http_userid_module \
--without-http_auth_basic_module \
--without-http_fastcgi_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--without-http_memcached_module \
--without-http_browser_module \
--http-client-body-temp-path=tmp/client_body \
--http-proxy-temp-path=tmp/proxy \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-mail_pop3_module \
2024-03-20 09:30:14 +09:00
--with-stream=dynamic \
2024-03-17 00:30:57 +09:00
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--with-pcre \
--with-pcre-jit \
--with-libatomic && \
make -j `nproc` && \
make install && \
ldd /opt/nginx/sbin/nginx && \
2024-03-20 09:30:14 +09:00
# find /opt/nginx/modules -type f -name '*.so' -print0 |awk -F'\0' '{printf("echo \"library %s\";ldd \"%s\"\n",$0,$0)}' |sh && \
2024-03-17 00:30:57 +09:00
find /opt/nginx && \
cat /opt/nginx/etc/nginx.conf && \
rm -r /opt/nginx/html/ && \
mkdir /opt/nginx/etc/conf.d/ && \
mkdir -p /opt/nginx/html/ && \
install -m644 html/index.html /opt/nginx/html/ && \
install -m644 html/50x.html /opt/nginx/html/ && \
ln -sf /dev/stdout /opt/nginx/logs/access.log && \
ln -sf /dev/stderr /opt/nginx/logs/error.log && \
cd /opt/nginx && \
rm \
etc/fastcgi_params \
etc/fastcgi_params.default \
etc/fastcgi.conf \
etc/fastcgi.conf.default \
etc/uwsgi_params \
etc/uwsgi_params.default \
etc/scgi_params \
etc/scgi_params.default && \
ldd sbin/nginx && \
strip -X -x -s -v sbin/nginx
2024-03-20 09:30:14 +09:00
RUN set -xeu && \
mkdir /opt/modsecurity/etc && \
mkdir -p /opt/nginx/logs/audit && \
cp -af /usr/local/src/modsecurity/modsecurity.conf-recommended /opt/modsecurity/etc/modsecurity.conf && \
cp -af /usr/local/src/modsecurity/unicode.mapping /opt/modsecurity/etc/unicode.mapping
2024-03-17 00:30:57 +09:00
##
## PKG
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS pkg
RUN set -xeu && \
mkdir pkgs output &&\
apk --no-cache \
fetch -R -o pkgs \
openssl \
pcre2 \
zlib \
musl-utils \
2024-03-20 09:30:14 +09:00
#modsecurity
xz-libs \
libxml2 \
libfuzzy2 \
lmdb \
yajl \
libstdc++ \
2024-03-17 00:30:57 +09:00
&& \
rm -f \
pkgs/busybox-*.apk \
pkgs/ca-certificates-*.apk \
pkgs/libcrypto3-*.apk \
pkgs/libssl3-*.apk \
pkgs/ssl_client-*.apk && \
find pkgs -type f -name '*.apk' -print0 |awk -F'\0' '{printf("echo \"extracting %s\";tar -zxf \"%s\" -C output || exit 1\n",$0,$0)}' |sh && \
find output -type f -name '.*' -delete
##
## Deploy
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/minimal-toolbox:3.19-latest
COPY --from=build /opt/nginx /opt/nginx
2024-03-20 09:30:14 +09:00
COPY --from=build /opt/owasp-crs /opt/owasp-crs
COPY --from=build /opt/modsecurity /opt/modsecurity
2024-03-17 00:30:57 +09:00
COPY --from=pkg output /pkg
2024-03-20 09:30:14 +09:00
COPY --from=build /opt/nginx /opt/nginx
COPY modsecurity.d /opt/modsecurity/etc
2024-03-17 00:30:57 +09:00
RUN set -xeu && \
cp -af /pkg/* / && \
rm -rf /pkg
RUN set -xeu && \
mkdir /docker-entrypoint.d
COPY nginx.conf /opt/nginx/etc/nginx.conf
COPY nginx.vh.no-default.conf /opt/nginx/etc/conf.d/default.conf
COPY docker-entrypoint.sh /
COPY /docker-entrypoint.d /docker-entrypoint.d
RUN set -xeu && \
mkdir -p /usr/local/sbin && \
ln -sf /opt/nginx/sbin/nginx /usr/local/sbin/nginx && \
mkdir -p /opt/nginx/etc/templates \
/opt/nginx/etc/stream-conf.d \
/opt/nginx/etc/conf.d \
/opt/nginx/tmp \
/opt/nginx/logs && \
chown -R 1000:1000 \
/opt/nginx/etc \
/opt/nginx/tmp \
2024-03-20 09:30:14 +09:00
/opt/nginx/logs && \
ln -sf ./conf.d/core-extra /opt/nginx/etc/nginx.extra.conf
2024-03-17 00:30:57 +09:00
WORKDIR /opt/nginx
LABEL org.opencontainers.image.authors="Sangbum Kim <sangbumkim@amuz.es>"
EXPOSE 8080 8443 8443/udp
STOPSIGNAL SIGQUIT
ENTRYPOINT [ "/sbin/tini", "-s", "--", "/docker-entrypoint.sh"]
USER 1000:1000
VOLUME ["/opt/nginx/etc/conf.d", "/opt/nginx/html", "/opt/nginx/tmp", "/opt/nginx/logs"]
ENV PATH="/opt/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
2024-03-21 02:26:44 +09:00
CMD ["nginx", "-g", "daemon off;"]
# buildah push 95713466eb harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-amd64-musl
# podman push 465bf7f815c2 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-arm64-musl
# podman manifest create \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1 \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-amd64-musl \
# harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1-arm64-musl
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25.4-1
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:1.25-latest
# podman push ba59d3263 harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/nginx:latest